Wednesday, September 28, 2016

Latest Scripts for finding Java


I have in the past posted my script for finding instances of Java on the servers I manage, and I have since updated it. You can still see the old script on this blog under the title "Checking Java Versions Remotely". My method of finding all the versions of Java on all the servers consists of running two scripts. One script, called check-java, acts as a manager for the other script and gathers all the data into a single report. The other script, called stig-java, does the actual work of finding Java on the target system.

In order for this script to work you will need to set up your SSH clients for auto-login. If you don't know how to do this, please refer to my post How to setup SSH Keys. This script doesn't need automount in order to work.

What the scripts do

First off, you need to put both scripts in the same location. I put the scripts in a folder called scripts in my home directory. The main script, check-java, copies the stig-java script to /tmp on all the servers. It then logs into each server, one at a time, runs the stig-java script and sends the output to a file named after the server. The check-java script then deletes stig-java from /tmp on all the servers. All those output files are then combined into a single file, with extra lines removed.

The scripts have been tested on Solaris 10, Red Hat 5 & 6 (RHEL) and SLES 11, and they work fine. On the Mac the colors don't work.


The check-java script
#!/bin/bash
# This script is for running the stig-java script on the servers.
# Run it from ~/scripts. The host list files (COOP, SOL, SLES, ACAS, RHEL, TD)
# live there, one hostname per line. The six arguments $1..$6 are the update
# numbers to hide from the final report (1.8.0_$1, 1.7.0_$2, 1.6.0_$3,
# 1.8.0.$4, 1.7.0.$5, 1.6.0.$6); for example $1=101 hides 1.8.0_101 so that
# only the other versions are shown. Give all six, or the filter hides too much.

SP=$(uname -n)
mkdir -p ~/scripts/outputJ/{sol,rhel,sles,td}

### Copy files section
echo -e "\e[1m Copying files \033[0m"
for host in $(cat COOP SOL SLES)
do if [ "$host" == "$SP" ]
     then cp ~/scripts/stig-java /tmp/stig-java 2>/dev/null
     else scp -q stig-java $host:/tmp &>/dev/null
   fi
done
for host in $(cat ACAS RHEL)
do scp -q stig-java $host:/var/tmp
done
for host in $(cat TD)
do scp -q stig-java3 $host:/tmp &>/dev/null
done
echo -e "\e[1m                 Done copying files \033[0m \n"

### Running the stig-java script section
echo -e "\e[1mLooking for Java on Solaris Servers\033[0m "
echo "-------------------------------------------------"
for s in $(cat COOP SOL)
do echo -e "Checking $s "
   ssh -qt $s /usr/local/bin/sudo /tmp/stig-java &> ~/scripts/outputJ/sol/$s
done
echo -e "\n\e[1mLooking for Java on RHEL Servers\033[0m "
echo "-------------------------------------------------"
for r in $(cat ACAS RHEL)
do echo -e "Checking $r "
   ssh -qt $r /usr/bin/sudo ~/scripts/stig-java &> ~/scripts/outputJ/rhel/$r || ssh -qt $r /usr/bin/sudo /var/tmp/stig-java &> ~/scripts/outputJ/rhel/$r
done
echo -e "\n\e[1mLooking for Java on SLES Servers \033[0m "
echo "------------------------------------------------"
for l in $(cat SLES)
do echo -e "Checking $l "
   if [ "$l" == "$SP" ]
     then sudo ~/scripts/stig-java &> ~/scripts/outputJ/sles/$SP
     else ssh -qt $l /usr/bin/sudo /tmp/stig-java &> ~/scripts/outputJ/sles/$l || ssh -q $l /usr/bin/sudo /tmp/stig-java &> ~/scripts/outputJ/sles/$l
   fi
done
echo -e "\n\e[1mLooking for Java on Teradata Servers \033[0m "
echo "------------------------------------------------"
for t in $(cat TD)
do echo -e "Checking $t "
   ssh -qt $t /usr/bin/sudo /tmp/stig-java3 &> ~/scripts/outputJ/td/$t || ssh -q $t /usr/bin/sudo /tmp/stig-java3 &> ~/scripts/outputJ/td/$t
   ssh -q $t rm /tmp/stig-java3
done

# Clean Up
echo "Deleting tmp files"
for host in $(cat COOP SOL ACAS RHEL SLES)
do if [ "$host" == "$SP" ]
     then rm /tmp/stig-java 2>/dev/null
     else ssh -q $host rm /tmp/stig-java 2>/dev/null || ssh -q $host rm /var/tmp/stig-java
   fi
done
echo " "

# Finishing up: merge the per-server files into one report per platform
cat ~/scripts/outputJ/sol/*  > ~/scripts/outputJ/solM
cat ~/scripts/outputJ/rhel/* > ~/scripts/outputJ/rhelM
cat ~/scripts/outputJ/sles/* > ~/scripts/outputJ/slesM
cat ~/scripts/outputJ/td/*   > ~/scripts/outputJ/tdM

echo -e "\e[1m ------------------------ Solaris Servers -------------------------  \033[0m\n" > ~/scripts/outputJ/output
cat ~/scripts/outputJ/solM >> ~/scripts/outputJ/output
echo -e "\e[1m ------------------------ RHEL Servers -------------------------  \033[0m\n" >> ~/scripts/outputJ/output
cat ~/scripts/outputJ/rhelM >> ~/scripts/outputJ/output
echo -e "\e[1m ------------------------ SLES Servers -------------------------  \033[0m\n" >> ~/scripts/outputJ/output
cat ~/scripts/outputJ/slesM >> ~/scripts/outputJ/output
echo -e "\e[1m ------------------------ Teradata Servers -------------------------  \033[0m\n" >> ~/scripts/outputJ/output
cat ~/scripts/outputJ/tdM >> ~/scripts/outputJ/output

# Hide the versions given as $1..$6 and page through the rest
egrep -v "(1.8.0_${1}|1.7.0_${2}|1.6.0_${3}|1.8.0.${4}|1.7.0.${5}|1.6.0.${6})" ~/scripts/outputJ/output | more

The stig-java script
#!/bin/bash
# This script is for finding versions of Java on a server.
# It lists every java binary with its version, the Java packages installed,
# the Java directories under /usr/java, and whether the system JRE's
# deployment settings pass the STIG check list.
DATE=$(date)
echo -e "\e[1;34m <<<<<<<<<<<<<<<<<<<< $(uname -n)  >>>>>>>>>>>>>>>>>>>\e[0m "
echo -e "Last scanned on $DATE"

### Find Java Section
# Skip patch, scratch, zone and mount directories; print each java binary
# with the version string reported by "java -fullversion".
for s in $(find / \( -name '10_Recommended*' -o -name scratch -o -name zones -o -name mnt \) -prune -o -type f -name java -print 2>/dev/null)
do ee=$($s -fullversion 2>&1 | awk '{print $4}')
   echo -e "\e[1m$ee\e[0m \t $s"
done
echo " "

### Find Packages Section
if [ SunOS == "$(uname -s)" ]
  then PKGS=$(pkginfo | grep 'SUNWj[3-8]')
  else PKGS=$(rpm -qa | grep -v SYMC | egrep '(jdk|jre)')
fi
if [[ -z $PKGS ]]
  then echo -e "\e[1mNo Java packages found\e[0m"
  else echo -e "\e[1mPackages found:\e[0m \n$PKGS"
fi

### Find Directories Section
if [ SunOS != "$(uname -s)" ]
  then DF=$(ls -d /usr/java/j* 2>/dev/null)
       if [[ -n $DF ]]
         then echo -e "\e[1mDirectories found:\e[0m\n$DF"
         else echo -e "\e[1mNo directories found\e[0m"
       fi
fi

### STIG Java Check List Section
# Any required deployment setting that is missing marks the check list as failed.
FAIL="\e[1;31mFailed Java Check List\e[0m"
PROPS=/usr/java/jre/lib/deployment.properties
CONF=/usr/java/jre/lib/deployment.config
if [ -e /usr/java ]
   then JCKL="Passed Java Check List"
        if [ -e $PROPS ]
           then grep deployment.security.askgrantdialog.notinca=false $PROPS &>/dev/null || JCKL=$FAIL
                grep deployment.security.askgrantdialog.notinca.locked $PROPS &>/dev/null || JCKL=$FAIL
                grep deployment.security.validation.crl=true $PROPS &>/dev/null || JCKL=$FAIL
                grep deployment.security.validation.crl.locked $PROPS &>/dev/null || JCKL=$FAIL
                grep deployment.security.validation.ocsp=true $PROPS &>/dev/null || JCKL=$FAIL
                grep deployment.security.validation.ocsp.locked $PROPS &>/dev/null || JCKL=$FAIL
           else JCKL=$FAIL
        fi
        if [ -e $CONF ] #JRE0070 V-32901 CAT II
           then grep deployment.system.config=file:/usr/java/jre/lib/deployment.properties $CONF &>/dev/null || JCKL=$FAIL
                grep deployment.system.config.mandatory=false $CONF &>/dev/null || JCKL=$FAIL
           else JCKL=$FAIL
        fi
        echo -e "\e[1m$JCKL \e[0m"
   else echo -e "\e[1;34mNo System Java from Oracle Found \e[0m"
fi
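As an added example (not part of stig-java or any of the blog's scripts), here is a stricter version of the deployment.properties check: it only accepts an uncommented line that is exactly the required setting, whereas a plain grep for deployment.security.validation.crl=true is also satisfied by a commented-out line or a longer key. The file path is passed as an argument, and the files used in the demo are constructed for the example.

```shell
#!/bin/bash
# Added example (not the blog's stig-java script): checks a Java
# deployment.properties file for the STIG settings that stig-java greps for,
# but only counts an uncommented line that is exactly key=value or key.

# The settings tested in the stig-java check list section.
REQUIRED_PROPS="deployment.security.askgrantdialog.notinca=false
deployment.security.askgrantdialog.notinca.locked
deployment.security.validation.crl=true
deployment.security.validation.crl.locked
deployment.security.validation.ocsp=true
deployment.security.validation.ocsp.locked"

# has_prop FILE SETTING: 0 if an uncommented line of FILE equals SETTING
# exactly (leading/trailing whitespace ignored), 1 otherwise.
has_prop() {
    grep -v '^[[:space:]]*#' "$1" \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | grep -qxF -- "$2"
}

# check_deployment FILE: prints each missing setting; returns the number of
# missing settings, so 0 means "Passed Java Check List".
check_deployment() {
    local file="$1" fails=0 prop
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    for prop in $REQUIRED_PROPS; do
        has_prop "$file" "$prop" || { echo "missing: $prop"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# Demo on constructed files: a compliant one, and one where CRL checking is
# only present as a commented-out line, which plain grep would still accept.
demo() {
    local good bad
    good=$(mktemp); bad=$(mktemp)
    printf '%s\n' "$REQUIRED_PROPS" > "$good"
    sed 's/^deployment.security.validation.crl=true$/#&/' "$good" > "$bad"
    check_deployment "$good" && echo "$good: Passed Java Check List"
    check_deployment "$bad"  || echo "$bad: Failed Java Check List"
    rm -f "$good" "$bad"
}
demo
```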

This other script, stig-java3, is used on the systems with spaces in the path.
Put contents of files here
<<<<<<<<<<<<<<<<<<<< Linux server name  >>>>>>>>>>>>>>>>>>>
Last scanned on Thu Sep 29 13:17:30 GMT 2016
"1.8.0_101-b13"          /usr/java/jdk1.8.0_101/bin/java
"1.8.0_101-b13"          /usr/java/jdk1.8.0_101/jre/bin/java

Linux packages:
 java-1.7.0-openjdk-devel-1.7.0.111-2.6.7.2.el6_8.x86_64
java-1.7.0-openjdk-1.7.0.111-2.6.7.2.el6_8.x86_64
jdk1.8.0_101-1.8.0_101-fcs.x86_64 )
Directories found:
/usr/java/jdk1.8.0_101
Failed Java Check List

Example output
root@earth> ./check-java
<<<<<<<<<<<<<<<<<<<< Linux server name  >>>>>>>>>>>>>>>>>>>
Last scanned on Thu Sep 29 13:17:30 GMT 2016
"1.8.0_101-b13"          /usr/java/jdk1.8.0_101/bin/java
"1.8.0_101-b13"          /usr/java/jdk1.8.0_101/jre/bin/java

Linux packages:
 java-1.7.0-openjdk-devel-1.7.0.111-2.6.7.2.el6_8.x86_64
java-1.7.0-openjdk-1.7.0.111-2.6.7.2.el6_8.x86_64
jdk1.8.0_101-1.8.0_101-fcs.x86_64 )
Directories found:
/usr/java/jdk1.8.0_101
Passed Java Check List


Let me know if this script is helpful in any way. If you need more details or have questions, let me know by posting below.

Thursday, September 22, 2016

Create user account and set password with one command

I often see forum posts where a system administrator wants to create local user accounts on several servers and doesn't want to have to set the user's password over and over again. Below I share two ways to do this. The first way creates the user account and sets the password in one command. The second method sets the password in an additional command. Either way can be used in a script, which can speed things up if you need to create one or more accounts on several systems.

Below is an example of creating a user account.
root@earth> useradd -u 25 -g staff -G ftp,users -m -d /export/home/newuser -c "newuser" -s /bin/bash newuser
root@earth> passwd newuser
passwd: Changing password for username
New Password:
Re-enter new Password:
passwd: password successfully changed for newuser

This method can be a very time-consuming process and would be hard to use in a script. Below is an example of using the -p option of the useradd command to set the user's password by supplying the password's hash (in the crypt(3) format used in /etc/shadow).

root@earth> useradd -u 25 -g staff -G ftp,users -m -d /export/home/newuser -c "newuser" -s /bin/bash -p '$6$jbvkjjg$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/' newuser

This method works on Linux computers, such as SLES and RHEL. It does not, however, work on systems such as Solaris.

Alternatively, you can also set the user's password by echoing it to standard input, as shown below. The major issue with doing it this way is that the password is recorded in the system logs, and if you're running the command remotely then you're sending the password in the clear. So I don't recommend doing it this way.
root@earth> echo password | passwd newuser --stdin

This method works only on Linux systems.

Other posts with similar info
Linux User Account Creation & Customization
Adding a new user to a UNIX based system

Reference pages
Online man page - useradd
Online man page - passwd

Thursday, September 15, 2016

Setting up NFS & automount on RHEL


I believe that any Linux or UNIX server should start from a very minimal build, meaning that a server should only have the programs or packages installed that are needed for its operation. To make some of my servers a little more functional I decided to install NFS and automount, so that users' home directories can be automounted and external shares mounted.

Follow the steps below to install NFS and autofs so you can mount NFS shares and home directories. The example below is on a RHEL 6 server.


To be able to mount NFS shares you will need the following packages.
autofs
nfs-utils
nfs-utils-lib

Dependencies:
hesiod
keyutils
libgssglue
libtirpc
python-argparse
rpcbind

Install the packages
root@server> yum install autofs  nfs-utils  nfs-utils-lib

To enable NFS shares you must add them to the /etc/fstab file. Example below.
10.12.12.8:/share /export/share  nfs noauto,nosuid,nodev,noguid,noxattr,timeout,sloppy 0 0
10.12.12.6:/cifs  /export/cifs  nfs noauto,nosuid,nodev,noguid,noxattr,timeout,sloppy 0 0
repos:/linux_repos /export/repos   nfs auto,ro,nosuid,nodev,noguid,noxattr,timeout,sloppy 0 0

To set up the automount function you need to edit the auto.home and auto.master files.
Add the hostname or IP address line to /etc/auto.home
*             10.10.10.2:/home/&

Add this line to /etc/auto.master
/export/home /etc/auto.home -nolock,nosuid,noguid,nodev,nobrowse,noxattr --timeout 10

Restart services
root@server> service autofs restart
root@server> service rpcbind start
root@server> service nfs start

Ensure that autofs starts at boot
root@server> chkconfig --list autofs

Make mount points
Make the mount point for all the mount points listed in the /etc/fstab file.
root@server> mkdir /export/share
root@server> mkdir /export/cifs
root@server> mkdir /export/repos


Note: make sure any host names used are added to the /etc/hosts file.

After following the steps above everything should be working. Test the configuration by logging in as, or becoming, a user with a non-local home directory. Also try to mount the shares.
root@server> mount /export/share

Check to see if the mount was successful.
root@server> df -h | grep share
Filesystem            Size  Used Avail Use% Mounted on
10.12.12.8:/share  9.8G  1.9G  7.5G  20%   /export/share
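As an added example that is not part of the post, here is a small audit of the fstab entries from the steps above: it reads an fstab-style file and flags any nfs or nfs4 entry that lacks the nosuid and nodev options the entries above carry, so a network share cannot supply setuid binaries or device nodes. The sample fstab is constructed for the example.

```shell
#!/bin/bash
# Added example (not part of the blog post): audits the NFS entries in an
# fstab-style file and reports any that lack the nosuid and nodev options
# the post's entries carry. Handles both nfs and nfs4 entries.

# Constructed sample in the post's format; the /export/cifs line is
# deliberately missing nosuid and nodev, and the ext4 line must be ignored.
SAMPLE_FSTAB='10.12.12.8:/share /export/share nfs noauto,nosuid,nodev,sloppy 0 0
# repos server, read-only
repos:/linux_repos /export/repos nfs4 auto,ro,nosuid,nodev,sloppy 0 0
10.12.12.6:/cifs /export/cifs nfs auto,rw,sloppy 0 0
/dev/sda1 / ext4 defaults 1 1'

# has_opt OPTS NAME: 0 if NAME is one of the comma-separated mount options.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# audit_nfs_fstab FILE: prints one line per NFS entry missing nosuid or nodev
# and returns the count of such entries (0 means every NFS entry is hardened).
audit_nfs_fstab() {
    local bad=0 src mnt type opts rest missing o
    while read -r src mnt type opts rest; do
        case "$src" in ''|'#'*) continue ;; esac      # blank and comment lines
        case "$type" in nfs|nfs4) ;; *) continue ;; esac
        missing=""
        for o in nosuid nodev; do
            has_opt "$opts" "$o" || missing="$missing $o"
        done
        if [ -n "$missing" ]; then
            echo "$mnt ($src): missing$missing"
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# Demo on the constructed sample written to a temporary file.
demo() {
    local f
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_FSTAB" > "$f"
    if audit_nfs_fstab "$f"; then echo "all NFS entries carry nosuid,nodev"; fi
    rm -f "$f"
}
demo
```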

Please let me know if you have any questions.